99% of Android phones could be vulnerable to hackers

Use Android? Wow, there's a lot of you now, isn't there? The good news is you're on the most upwardly mobile OS around, with great new handsets, apps and platform updates popping out of the woodwork at every turn.

The bad news, though, is that fully 99% of you might be leaving your personal data wide open to attack thanks to a glitch in how your credentials are stored on Android's servers.

Researchers at Germany's University of Ulm have discovered that every Android phone running version 2.3.3 or earlier of the OS – in other words nearly all of them – have an issue with an on-board authentication protocol called ClientLogin.

Whenever you log into Google Calendar, Contacts and potentially other services, the system sends an authentication token that stays accessible for up to 14 days, potentially leaving an open door for attackers to exploit.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers revealed last week. “The short answer is: Yes, it is possible, and it is quite easy to do so.”

Attacks would only be possible over unsecured Wi-Fi networks, and Google has already patched the hole with the release of Android version 2.3.4 earlier this month. But with as little as 1% of users having actually applied the update so far, the door effectively remains wide open.

Of course, this doesn't mean even one single user has had their details nicked by a bad sort, but the danger is there. One scenario raised by security researchers is that hackers could set up dummy Wi-Fi hotspot to try and lure unsuspecting users on board.